Remove Root Password

Hi,

I have one Linux machine on which I want to delete the root password. My aim is to issue some commands (mostly which require root privilege) from remote machines, and for which I'm thinking of issuing rsh (not the Kerberos rsh) from remote machines, i.e.

[user@remote] /usr/bin/rsh -l root

To achieve the same, I did:

[root@target] passwd -d root
[root@target] service sshd restart

After this I checked the /etc/shadow file on and its entry was removed, but still the target machine prompts for a password, and as I've already deleted the password, hence even if I provide the correct last password, it doesn't work ;(

Re: Remove Root Password

First, the sshd service is not at all related to rsh access. The service used by the rsh client is named "rshd". In modern Linuxes, it is not installed by default: you must actively choose to install and enable it.

And by the way, there is no need to restart sshd if you change (or even delete) passwords: sshd will detect the change automatically.

Many remote login services in Linux have a safety feature: if an account has no password, it cannot be used for remote connections. This is usually implemented with the PAM settings (in the /etc/pam.d directory): either the "auth" section for the service does not have the "nullok" option, or it uses the "nullok_secure" option, which allows only local logins if a password is not set.

Sometimes other accounts will be allowed to go without passwords, but the root account is the most likely to have this protection.

This feature was developed because too many newbie Linux users connected their machines to the Internet with no passwords or any other protection, got their machines hacked, and then complained about it to the builders of their Linux distribution.

With remote logins, the machine will always prompt for a password, even if the specified user account is locked or even non-existent: this is to prevent anyone with no valid user account from finding out which usernames do exist on the system.

My advice: *never* allow a passwordless root account. Leaving a root account without a password is a quick way to lose a sysadmin job if someone requires a security audit. A good Unix sysadmin should *instinctively* react to passwordless root accounts with the deepest suspicion.
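The check described in the reply above, as an added example that is not part of the original thread: a shell audit that lists accounts with an empty password field in a shadow-format file and reports whether each PAM service file's pam_unix auth line carries nullok or nullok_secure. The sample files, their names and the function names are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread). Sample file names and contents are constructed.

# Accounts whose shadow password field is empty: the state "passwd -d" leaves behind.
empty_password_accounts() {
    awk -F: '!/^#/ && NF >= 2 && $2 == "" { print $1 }' "$1"
}

# How a PAM service file treats empty passwords, judged from its pam_unix auth lines.
# Prints nullok, nullok_secure or none. Include directives are not followed.
pam_nullok_mode() {
    awk 'BEGIN { mode = "none" }
         $1 == "auth" && /pam_unix\.so/ {
             for (i = 2; i <= NF; i++) {
                 if ($i == "nullok") mode = "nullok"
                 if ($i == "nullok_secure" && mode == "none") mode = "nullok_secure"
             }
         }
         END { print mode }' "$1"
}

# audit SHADOW PAM_FILE...: one line per account/service pair; returns 1 on any FAIL.
audit() {
    shadow=$1; shift
    rc=0
    for acct in $(empty_password_accounts "$shadow"); do
        for f in "$@"; do
            svc=${f##*/}
            case $(pam_nullok_mode "$f") in
                nullok)        echo "FAIL $acct via $svc: empty password accepted"; rc=1 ;;
                nullok_secure) echo "WARN $acct via $svc: empty password accepted on local terminals" ;;
                *)             echo "OK   $acct via $svc: empty password rejected" ;;
            esac
        done
    done
    return $rc
}

# Constructed sample data so the script runs offline.
SAMPLES=$(mktemp -d)
cat > "$SAMPLES/shadow" <<'EOF'
root::15000:0:99999:7:::
daemon:*:15000:0:99999:7:::
alice:$6$constructed$constructedhash:15000:0:99999:7:::
EOF
printf 'auth required pam_unix.so nullok\n'        > "$SAMPLES/legacy-remote"
printf 'auth required pam_unix.so nullok_secure\n' > "$SAMPLES/console"
printf '# no nullok\nauth required pam_unix.so\n'  > "$SAMPLES/remote"

audit "$SAMPLES/shadow" "$SAMPLES/legacy-remote" "$SAMPLES/console" "$SAMPLES/remote" || true
```

To audit a live system, run `audit` as root against `/etc/shadow` and the files in `/etc/pam.d`, checking any included files separately.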

Re: Remove Root Password

As a Unix security auditor, I immediately mark as 'non-compliant' any system that uses remsh, rsh or any of the Berkeley-style remote services. They are hideously, notoriously unsecure and should be eliminated from your systems. Do not write scripts or use any procedures that use them!

Secure shell is so easy to install and use (it's free) that there is no reason to use anything else. It even scripts much more nicely than the Berkeley processes do.

Re: Remove Root Password

Set a password for root. Not having a root password is just stupid IMO. Then use ssh between boxes. To make it more secure, create a pub/priv key for root (without a pass phrase). And then set

PermitRootLogin without-password

in sshd_config. By doing this, root can only log in with key authentication. The other part I like is that even if you know root's password it won't let you log in.

"The difference between me and you? I will read the man page." and "Respect the hat." and "You could just do a search on ITRC, you don't need to start a thread on a topic that's been answered 100 times already." Oh, and "What. no points???"

Re: Remove Root Password

Also, you could just set up sudo access for a user on the box and just run the sudo commands remotely via ssh.
